Method and apparatus for restricting access to private information in domain name systems by filtering information

US 5,958,052 A
Filed: 07/16/1996
Issued: 09/28/1999
Est. Priority Date: 07/15/1996
Status: Expired due to Term

First Claim

Patent Images

1. A subsystem in a domain name system that filters information and restricts access to private information of a first domain, the first domain being coupled to a second domain and the first and second domains each comprising a plurality of devices, the subsystem comprising:

a switching device that receives a first communication from a first device of the first domain being directed to a device of the second domain, the communication including a first request for private information of the first domain, the switching device redirecting the first request to a second device in the fist domain; and

a filtering device that receives a second communication from the second domain destined to the first domain, wherein the filtering device generates filtered information by removing be private information of the fist domain from message data contained in the second communication and forwards the filtered information to one of the plurality of devices of the first domain.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A device and method filter information to restrict access to private information of a domain in a domain name system. The device includes a filtering device. The filtering device filters information received from devices external to the domain by removing the private information before forwarding the information to devices within the domain. The private information includes IP addresses and domain names. The private information also includes any additional information appended to legitimate responses to requests from devices in the domain.

Citations

32 Claims

1. A subsystem in a domain name system that filters information and restricts access to private information of a first domain, the first domain being coupled to a second domain and the first and second domains each comprising a plurality of devices, the subsystem comprising:
- a switching device that receives a first communication from a first device of the first domain being directed to a device of the second domain, the communication including a first request for private information of the first domain, the switching device redirecting the first request to a second device in the fist domain; and
  
  a filtering device that receives a second communication from the second domain destined to the first domain, wherein the filtering device generates filtered information by removing be private information of the fist domain from message data contained in the second communication and forwards the filtered information to one of the plurality of devices of the first domain.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The subsystem of claim 1, wherein the private information of the first domain includes at least one of a domain lame and an IP address of a device of the first domain.
  - 3. The subsystem of claim 1, wherein the second communication is sent by a device of the second domain in response to a query request by the one of the devices of the domain, the second communication including additional information not requested by the one of the devices of the first domain, the filtering device removing the private information of the At domain from the additional information not requested by the one of the devices of the first domain.
  - 4. The subsystem of claim 1, wherein the filtering device generates filtered information by modifying the second communication based on a local security administrative policy.
  - 5. The subsystem of claim 4, wherein the local security administrative policy is to at least one of replace a pointer to a device of the second domain in the second communication with a pointer to a device in the fit domain and modify a mail exchange record received from the device of the second domain.
  - 6. The subsystem of claim 1, wherein the first communication includes a second request for information that is not private information of the first domain, the switching device forwarding the second request to the device of the second domain.
  - 7. The subsystem of claim 1, wherein the second device is a name server of the first domain.
  - 8. The subsystem of claim 1, wherein the plurality of devices of the first domain is modified to direct all communications with the first domain to the switching device.
  - 9. The subsystem of claim 1, wherein the second device is one of a name server and a resolver and requests for private information from devices in the first domain other than the second device are directed to the first device.
  - 10. The subsystem of claim 1, wherein the switching device is part of a firewall of the first domain.

11. A method of operation of a subsystem in a domain name system for filtering and restricting access to private;
- information of a first domain, the first domain being coupled to a second domain and the first and second domains each comprising a plurality of devices, the method comprising;
  
  receiving a first communication from a first device of the first domain that is directed to a device of the second domain, the first communication including a first request for the private information of the first domain;
  
  redirecting the first request to a second device of the first domain;
  
  receiving a second communication from the second domain destined to the first domain;
  
  generating filtered information by removing private information of the first domain from message data contained in the second communication; and
  
  forwarding the filtered information to one of the plurality of devices of the fist domain.
- View Dependent Claims (12, 13, 14, 15, 16, 17)
- - 12. The method of claim 11, wherein the private information of the first domain includes at least one of a domain name and an IP address of a device of the at domain.
  - 13. The method of claim 11, wherein the second communication is sent by a device of the second domain in response to a query request by the one of the devices of the first domain, the second communication including additional information not requested by the one of the devices of the first domain, the generating filtered information step comprising;
    - removing the private information of the first domain from the additional information not requested by the one of the devices of the first domain.
  - 14. The method of claim 11, further comprising:
    - modifying the second communication based on a local security administrative policy.
  - 15. The method of claim 14, wherein the local security administrative policy is to at least one of replace a pointer to a device of the second domain in the second communication with a pointer to a device in the first domain and modify a mail exchange record received from the second domain.
  - 16. The method of claim 11, further comprising:
    - forwarding a second request of the first communication from the first device, to the device of the second domain the second request requesting information not private to the first domain.
  - 17. The method of claim 11, wherein the second device is a name server of the first domain.

18. An apparatus for use in a domain name system, comprising:
- a switching device that receives a first communication from a first device of a first domain, the first communication including a first request for private information of the first domain, said first communication being directed to a second domain, the first and second domains each comprising a plurality of devices, the switching device redirecting, the first request for the private information front a first device of the second domain to a second device in the first domain;
  
  a filtering device that receives a second from the second domain destined to the first domain, wherein the filtering device generates filtered information a by removing private information of the first domain from message second communication and forwards the filtered information to one of the plurality of devices of the first domain.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 27)
- - 19. The apparatus of claim 18, wherein the private information of the first domain includes at least one of a domain name and an IP address of a device of the first domain.
  - 20. The apparatus of claim 18, wherein the second communication is sent by a device of the second domain in response to a query request by the one of the devices of the first domain, the second communication including additional information not requested by the one of the devices of the first domain, the filtering device removing the private information of the first domain from the additional information not requested by the one of the devices of the first domain.
  - 21. The apparatus of claim 18, wherein the filtering device generates filtered information by modifying the second communication based on a local security administrative policy.
  - 22. The apparatus of claim 21, wherein the local security administrative policy is to at least one of replace a pointer to a device of the second domain in the second communication with a pointer to a device in the first domain, and modify a mail exchange record received from the second domain.
  - 23. The apparatus of claim 18, wherein the first communication includes a second request for information that is not private information of he first domain, the switching device forwarding the second request to the device of the second domain.
  - 24. The apparatus of claim 18, wherein the second device is a name server of the first domain.
  - 25. The apparatus of claim 18, wherein he switching device is part of a firewall of the first domain.
  - 27. The method of claim 22, wherein the private information of the first domain includes at least one of a domain name and an IP address of a device of the first domain.

26. A method of operation of an apparatus in a domain name system for filtering and restricting access to private information of a first domain the first domain being coupled to a second domain and the first and second domain comprising a plurality of devices, the method comprising:
- receiving a first communication from a first device of the first domain that is directed to a device of the second domain, the first communication including a first request for the private information of the first domain, andredirecting the first request for the private information of the first domain to a second device of the first domain;
  
  receiving a second communication from a device of the second domain destined to one of the devices of the first domain;
  
  generating filtered information by removing private information of the first domain from message data contained in the second communication; and
  
  forwarding the filtered information to the one of the devices of the first domain.
- View Dependent Claims (28, 29, 30, 31, 32)
- - 28. The method of claim 26, wherein the second communication is sent by the dice of the second domain in response to a query request by the one of the devices of the first domain, the second communication including additional information not requested by the one of the devices of the first domain, the generating filtered information step comprising:
    - removing the private information of the first domain from the additional information not requested by the one of the device of the first domain.
  - 29. The method of claim 26, further comprising:
    - modifying the second communication based on a local security administrative policy.
  - 30. The method of claim 29, wherein the local security administrative policy is to at least one of replace a pointer to a device of the second domain in the second communication with a pointer to a device in the first domain and modify a mail exchange record received from the second domain.
  - 31. The method of claim 26, further comprising:
    - forwarding a second request of the first communication to the device of the second domain, the second request requesting information not private to the first domain.
  - 32. The method of claim 26, wherein the second device is a name server of the first domain.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
RPX Corporation
Original Assignee
AT&T Corporation (AT&T, Inc.)
Inventors
Cheswick, William Roberts, Bellovin, Steven Michael
Primary Examiner(s)
LE, DIEU MINH T

Application Number

US08/683,019
Time in Patent Office

1,169 Days
Field of Search

395/186, 395/187.01, 395/188.01, 395/609, 395/610, 395/200.79, 395/200.55, 380/3, 380/9, 380/23, 380/25, 707/9, 707/10
US Class Current

726/11
CPC Class Codes

H04L 61/35   involving non-standard use ...

H04L 61/4511   using domain name system [DNS]

H04L 63/02   for separating internal fro...

H04L 9/40   Network security protocols

Y10S 707/99939   Privileged access

Method and apparatus for restricting access to private information in domain name systems by filtering information

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

32 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for restricting access to private information in domain name systems by filtering information

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

32 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links